How To Discover Network Hosts With Nmap?

Hi. We started with nmap target specification. Now we resume with the host discovery options. Host discovery means detecting which hosts are alive in the same or a remote network. Generally we send a packet to the target host and either get a response or not, but sometimes we just listen and receive packets from hosts. We decide the host's status according to the response, if we get one. There are several different ways to send these packets.

nmap's default action for host discovery (if no option is given) is an ICMP echo request and an ICMP timestamp request, a TCP SYN to port 443 (https) and a TCP ACK to port 80 (http).
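From the defender's side, that default probe mix is also a recognisable pattern in flow telemetry: one source sending ICMP echo, ICMP timestamp, SYN/443 and ACK/80 to many destinations in a short window. The following is an added Python example written for this article (not nmap's own code, and not a real IDS rule): it classifies constructed flow records against those four probe kinds and reports sources that match. The record layout, the thresholds (10 hosts, 3 probe kinds, 60 seconds) and the sample flows are assumptions made for the example.

```python
"""Flag sources whose probe mix looks like nmap's default host discovery
(ICMP echo, ICMP timestamp, TCP SYN to 443, TCP ACK to 80) sent to many
hosts within a short window.

Added example for this article. Flow records and thresholds are constructed
assumptions, not nmap's or any IDS's own values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    ts: float            # seconds since start of capture (constructed)
    src: str
    dst: str
    proto: str           # "icmp" or "tcp"
    dport: Optional[int]  # TCP destination port, None for ICMP
    flags: str           # TCP flags ("S", "A") or ICMP type name ("echo", "timestamp")


# The four probe kinds nmap sends by default (see the article text above).
DEFAULT_PROBES = {"icmp-echo", "icmp-timestamp", "syn-443", "ack-80"}


def classify(flow: Flow) -> Optional[str]:
    """Map a single flow onto one of the default nmap probe kinds, or None."""
    if flow.proto == "icmp":
        if flow.flags == "echo":
            return "icmp-echo"
        if flow.flags == "timestamp":
            return "icmp-timestamp"
    elif flow.proto == "tcp":
        if flow.flags == "S" and flow.dport == 443:
            return "syn-443"
        if flow.flags == "A" and flow.dport == 80:
            return "ack-80"
    return None


def find_discovery_sweeps(flows: List[Flow], min_hosts: int = 10,
                          window: float = 60.0, min_probe_kinds: int = 3) -> Dict[str, dict]:
    """Return {src: {"hosts": n, "probes": set}} for every source that, within
    `window` seconds, sent at least `min_probe_kinds` distinct default probe
    kinds to at least `min_hosts` distinct destinations."""
    by_src: Dict[str, list] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        kind = classify(f)
        if kind:
            by_src[f.src].append((f.ts, f.dst, kind))

    hits: Dict[str, dict] = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts: Set[str] = {d for _, d, _ in events[start:end + 1]}
            kinds: Set[str] = {k for _, _, k in events[start:end + 1]}
            if len(hosts) >= min_hosts and len(kinds) >= min_probe_kinds:
                hits[src] = {"hosts": len(hosts), "probes": kinds}
                break
    return hits


def sample_flows() -> List[Flow]:
    """Constructed flows: one source sweeps 192.168.122.10-29 with the default
    probe set; another source only opens a couple of ordinary HTTPS connections."""
    flows: List[Flow] = []
    t = 0.0
    for i in range(10, 30):
        dst = f"192.168.122.{i}"
        flows += [
            Flow(t, "192.168.122.1", dst, "icmp", None, "echo"),
            Flow(t + 0.01, "192.168.122.1", dst, "tcp", 443, "S"),
            Flow(t + 0.02, "192.168.122.1", dst, "tcp", 80, "A"),
            Flow(t + 0.03, "192.168.122.1", dst, "icmp", None, "timestamp"),
        ]
        t += 0.2
    flows += [
        Flow(1.0, "192.168.122.50", "192.168.122.200", "tcp", 443, "S"),
        Flow(2.0, "192.168.122.50", "192.168.122.201", "tcp", 443, "S"),
    ]
    return flows


if __name__ == "__main__":
    for src, info in find_discovery_sweeps(sample_flows()).items():
        print(f"{src}: {info['hosts']} hosts, probes {sorted(info['probes'])}")
```

The sliding window keeps the check cheap on a time-sorted stream, and requiring several probe kinds rather than just "many SYNs to 443" separates a discovery sweep from ordinary browsing to many HTTPS sites. Tune the thresholds to your own network; an ARP-based sweep (-PR) on the local segment will not show up here at all, since it never produces IP flows.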

The -PR option is used for ARP discovery, so it just sends ARP requests. In the second block we see the target host's network dump. The -sn option disables the port scan.

List scan is a passive scan, so we do not send packets to the network; we just listen. As you can see in the output, there is one host which is up, but the scan shows no one is up.

[root@dell ~]# nmap -sL 192.168.122.0/24

Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-02 21:37 EEST
Nmap scan report for 192.168.122.0
Nmap scan report for 192.168.122.1
Nmap scan report for 192.168.122.2
Nmap scan report for os1 (192.168.122.3)
...
Nmap scan report for 192.168.122.253
Nmap scan report for 192.168.122.254
Nmap scan report for 192.168.122.255
Nmap done: 256 IP addresses (hosts up) scanned in 132.79 seconds

No ping scan (-Pn) disables the ping stage of the scan. Normally a scan starts with a ping to find live hosts and then runs the heavy port scan only against the live hosts. But if you set this option it starts with the heavy port scan for all specified hosts.

[root@dell ~]# nmap -Pn u1

Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-03 07:33 EEST
Nmap scan report for u1 (192.168.122.146)
Host is up (0.00077s latency).
rDNS record for 192.168.122.146: openstack
Not shown: 996 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
49/tcp open  tacacs
80/tcp open  http
MAC Address: 52:54:00:0D:B8:D7 (QEMU Virtual NIC)

TCP SYN ping is another method for reliable scanning. A SYN is sent to the given ports, and if there is a host we get a response such as RST or ACK. Here we scan for TCP port 22.

[root@dell ~]# nmap -sn -PS22 192.168.122.0/24

Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-03 07:45 EEST
Nmap scan report for openstack (192.168.122.146)
Host is up (0.00028s latency).
MAC Address: 52:54:00:0D:B8:D7 (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.88 seconds

TCP ACK ping is like SYN ping but, as you would guess, with the ACK and SYN flags set.

[root@dell ~]# nmap -sn -PA22 192.168.122.0/24

Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-03 07:48 EEST
Nmap scan report for openstack (192.168.122.146)
Host is up (0.00013s latency).
MAC Address: 52:54:00:0D:B8:D7 (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.88 seconds

UDP ping is like TCP ping. Here you can also specify --data-length for the packet, which is filled with a randomly chosen payload.

[root@dell ~]# nmap -sn --data-length 500 -PU514 192.168.122.0/24

Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-03 07:52 EEST
Nmap scan report for openstack (192.168.122.146)
Host is up (0.00021s latency).
MAC Address: 52:54:00:0D:B8:D7 (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.88 seconds

The ICMP ping options select which ICMP type is used for the ping. The most used and helpful one is echo. This type of scan pings all of the hosts.

[root@dell ~]# nmap -sn -PE 192.168.122.0/24

Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-03 07:55 EEST
Nmap scan report for openstack (192.168.122.146)
Host is up (0.00022s latency).
MAC Address: 52:54:00:0D:B8:D7 (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.88 seconds
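The -PS, -PA, -PU and -PE runs above all produce the same normal-output format: a "Nmap scan report for" line per host, an optional "Host is up" and "MAC Address" line, and a "Nmap done" summary. The following is an added Python example written for this article (not part of nmap, which has its own -oX/-oG machine-readable formats for this job): it parses that text into a host inventory and flags any live host that is not on an expected-asset list, which is the defender's usual use of a sweep like this. The sample text is copied from the -PS run above; the expected-asset list is a constructed assumption.

```python
"""Parse nmap -sn normal output into a host inventory and report hosts that
are up but not on an expected-asset list.

Added example for this article, not nmap's own code. The sample output is
taken from the -PS22 run in the article; the asset list is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<vendor>[^)]*)\))?$")
DONE_RE = re.compile(
    r"^Nmap done: (?P<total>\d+) IP addresses? \((?P<up>\d+) hosts? up\) "
    r"scanned in (?P<secs>[\d.]+) seconds$")

# Constructed sample: the -PS22 output from the article, with spacing restored.
SAMPLE_OUTPUT = """\
Starting Nmap 6.45 ( http://nmap.org ) at 2014-08-03 07:45 EEST
Nmap scan report for openstack (192.168.122.146)
Host is up (0.00028s latency).
MAC Address: 52:54:00:0D:B8:D7 (QEMU Virtual NIC)
Nmap scan report for 192.168.122.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.88 seconds
"""


def parse_sn_output(text: str) -> Tuple[List[Dict], Dict]:
    """Return (hosts, summary). Each host dict has ip, name, up, latency_s,
    mac and vendor; summary has total, up and seconds from the 'Nmap done' line."""
    hosts: List[Dict] = []
    summary: Dict = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            cur = {"ip": m.group("ip1") or m.group("ip2"), "name": m.group("name"),
                   "up": False, "latency_s": None, "mac": None, "vendor": None}
            hosts.append(cur)
            continue
        m = UP_RE.match(line)
        if m and cur is not None:
            cur["up"] = True
            cur["latency_s"] = float(m.group("lat")) if m.group("lat") else None
            continue
        m = MAC_RE.match(line)
        if m and cur is not None:
            cur["mac"] = m.group("mac").upper()
            cur["vendor"] = m.group("vendor")
            continue
        m = DONE_RE.match(line)
        if m:
            summary = {"total": int(m.group("total")), "up": int(m.group("up")),
                       "seconds": float(m.group("secs"))}
    return hosts, summary


def unexpected_hosts(hosts: Iterable[Dict], expected_ips: Iterable[str]) -> List[str]:
    """IPs that answered the sweep but are not in the expected-asset list."""
    expected = set(expected_ips)
    return sorted(h["ip"] for h in hosts if h["up"] and h["ip"] not in expected)


if __name__ == "__main__":
    found, done = parse_sn_output(SAMPLE_OUTPUT)
    # Constructed asset list: only the gateway is expected on this segment.
    print("up:", done.get("up"), "of", done.get("total"))
    print("unexpected:", unexpected_hosts(found, {"192.168.122.1"}))
```

Comparing the sweep result against an asset list is what turns a ping sweep into an inventory control: a live IP the list does not know about is worth a ticket. Note that a host which drops all four default probes (or the single probe type you chose with -PS/-PA/-PU/-PE) will simply be absent from this output, so an empty "unexpected" list means no unknown host answered, not that none exists.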

Protocol list is used to specify IP protocol numbers. As you know, ICMP, TCP, UDP, IGMP and similar protocols are identified by a protocol number in the IP packet header, and here we can set those numbers. For example, UDP is 17. This type of scan is not reliable, so I skip it.

Resolving DNS can slow down the scan, or it may be unnecessary. So we can stop DNS resolving with the -n option or force it with the -R option. If we want to use the system's configured DNS, use --system-dns; if we want to specify DNS servers manually, use --dns-servers 8.8.8.8.